azorult | 106839b29f3e5a9d68e9e3edb18c9e20edb1b165bc1042d576ebe6887f4b4c9a

General

Target

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.zip
Size

440KB
MD5

8692f6bd4fa3ac41af1d33e9c243e67c
SHA1

458634c33f3286890adec73bb41003062a0a23bf
SHA256

106839b29f3e5a9d68e9e3edb18c9e20edb1b165bc1042d576ebe6887f4b4c9a
SHA512

4ae3bfacfbd8e10633d780dfe5275363603c34e3f599e9d54f2373f8201bb531380380114453a9a72f534518f0e01e21cd38bfb6f3e2e0d686eb4e31b7f08b5e
SSDEEP

12288:8iPM9TrqLargEYyHk27qXmfZb8m4XO3nG+6U9L2d:8bdqL8HlwmfZ4XXO3nGmL2d

Score

10^/10

azorult discovery execution infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://5gw4d.xyz/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

856 powershell.exe
2012 powershell.exe

pid	process
856	powershell.exe
2012	powershell.exe

Executes dropped EXE 6 IoCs

Processes:

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

pid	process
2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2188	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
960	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2928	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2948	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Loads dropped DLL 4 IoCs

Processes:

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

pid	process
2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

description	pid	process	target process
PID 2924 set thread context of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 set thread context of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exepowershell.exeschtasks.exeDllHost.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exepowershell.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1712 schtasks.exe
1736 schtasks.exe

pid	process
1712	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

7zFM.exepowershell.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exepowershell.exe

pid	process
1916	7zFM.exe
2012	powershell.exe
1916	7zFM.exe
1916	7zFM.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
856	powershell.exe
1916	7zFM.exe
1916	7zFM.exe
1916	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1916 7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.exepowershell.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
Token: SeDebugPrivilege	856	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe

pid process

1916 7zFM.exe
1916 7zFM.exe
1916 7zFM.exe
1916 7zFM.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

7zFM.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

description	pid	process	target process
PID 1916 wrote to memory of 2924	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2924	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2924	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2924	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2764	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2764	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2764	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 1916 wrote to memory of 2764	1916	7zFM.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2924 wrote to memory of 2012	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2924 wrote to memory of 1712	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2924 wrote to memory of 2188	2924	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2764 wrote to memory of 856	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	powershell.exe
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2764 wrote to memory of 1736	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	schtasks.exe
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 960	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2948	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
PID 2764 wrote to memory of 2928	2764	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe	722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbxFiQYCyFDgGL.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbxFiQYCyFDgGL.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FE3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC77F1D96\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2560

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 0
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC773C7B6\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

Filesize
483KB

MD5
7a0093c743fc33a5e111f2fec269f79b

SHA1
feadb2ca02d41f2d834b8577f39a582d4bdd734f

SHA256
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088

SHA512
77cade5a9e48f8d1da6e689a7881b23a1be165f1be8f26059458766e6fc4db8c03c058beb19dd0f644aebd218371ef487fe31a086e6fbc7089976d0802010eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp

Filesize
1KB

MD5
839983a383338385d2618b7548647294

SHA1
7ade3cccc247633fc2f4758ac5369aa71b093dda

SHA256
98f8da2d82809551764c336c3d4a44358cba14e43d64ce097a32835956d599c8

SHA512
a05e763260f3c3943e0eacb723626892b77201e3156b4784480dc7c0b72c17c8f58291078d28c686c942be4b75129a0aec8000aa7ec17512ce17bf8b7d0a292e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TDT7X29M.txt

Filesize
116B

MD5
77b0cff77b526a2901fb72661741be8c

SHA1
1c245e153aa5367bd963ef9649bc8c2b8788a0f3

SHA256
a9b3e62fec512415d84e954d309a9093bc68d8fa52e71c40cdeff840c7398a4f

SHA512
e27e879e2f935e9d28831e45ed92a84c53332ab757e0ff2f5f72543c443757ef1a68fe26db9e53298f43ad6cba262d4c6fd1c4ec7f7453c9b8b7a5a6f7b3dca1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UKSLGP47.txt

Filesize
89B

MD5
a43b87c2bf4930b8cf4b30629f0f0153

SHA1
127da980dc0f3651b8d5b1d293c3b9600515c5aa

SHA256
1529bcf13c9ca336dfaf1fa42b3d4ac2ab4a4a7dbf9de99608c2faa944f272cc

SHA512
9aca4f00dc51d90c4f1b6977b652f4e0641de711b6e5113d9929348811da5fbbd0e0f493c089a35489447ad972be401f87645d510c79d0b901ee44d04ea2ed41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9XEIBZRTU05N4QUZUUKV.temp

Filesize
7KB

MD5
df413e9d28e3932db868bdc93700f88a

SHA1
457981f13635e24f1bae7cf745da70cf2eff578e

SHA256
4b7c5591ef4c4779df22a6b898a45c07e4a6eeccc60a900d6f8017b4594aa678

SHA512
e36c9b80e4953c125abac0ca08cc0961f15e8b475d2ec98df72ba6bf86506d2329e6a5c704f02806538f1e51ab4344f8e57cff60a2049d31a9c13d4e08178f5b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2188-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2764-57-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/2764-27-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2924-38-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/2924-30-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/2924-14-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2924-13-0x0000000005A30000-0x0000000005A9C000-memory.dmp

Filesize
432KB

Download
memory/2924-12-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2928-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads